add authentication to catalog api endpoints

pgorecki · pgorecki · commit 380ead4f1d29 · 2023-07-10T21:25:15.000+02:00
diff --git a/src/api/dependencies.py b/src/api/dependencies.py
@@ -1,10 +1,10 @@
 from typing import Annotated
 
-from fastapi import Depends, HTTPException, Request
+from fastapi import Depends, Request
 from fastapi.security import OAuth2PasswordBearer
 
 from modules.iam.application.services import IamService
-from modules.iam.domain.entities import AnonymousUser
+from modules.iam.domain.entities import User
 from seedwork.application import Application, TransactionContext
 
 oauth2_scheme = OAuth2PasswordBearer(tokenUrl="token")
@@ -16,19 +16,17 @@ async def get_application(request: Request) -> Application:
 
 
 async def get_transaction_context(
-    request: Request, app: Annotated[Application, Depends(get_application)]
+    app: Annotated[Application, Depends(get_application)],
 ) -> TransactionContext:
     """Creates a new transaction context for each request"""
 
     with app.transaction_context() as ctx:
-        try:
-            access_token = await oauth2_scheme(request=request)
-            current_user = ctx.get_service(IamService).find_user_by_access_token(
-                access_token
-            )
-        except HTTPException as e:
-            current_user = AnonymousUser()
+        yield ctx
 
-        ctx.dependency_provider["current_user"] = current_user
 
-        yield ctx
+async def get_authenticated_user(
+    access_token: Annotated[str, Depends(oauth2_scheme)],
+    ctx: Annotated[TransactionContext, Depends(get_transaction_context)],
+) -> User:
+    current_user = ctx.get_service(IamService).find_user_by_access_token(access_token)
+    return current_user
diff --git a/src/api/main.py b/src/api/main.py
@@ -3,6 +3,7 @@
 from fastapi import FastAPI, Request
 from fastapi.responses import JSONResponse
 
+from api.dependencies import oauth2_scheme  # noqa
 from api.routers import bidding, catalog, diagnostics, iam
 from config.api_config import ApiConfig
 from config.container import TopLevelContainer
@@ -17,17 +18,37 @@
 container.config.from_pydantic(ApiConfig())
 
 app = FastAPI(debug=container.config.DEBUG)
+
 app.include_router(catalog.router)
 app.include_router(bidding.router)
 app.include_router(iam.router)
 app.include_router(diagnostics.router)
 app.container = container
 
-# logger.info("using db engine %s" % str(container.engine()))
+logger.info("using db engine %s" % str(container.db_engine()))
+
+try:
+    import uuid
+
+    from modules.iam.application.services import IamService
+
+    with app.container.application().transaction_context() as ctx:
+        iam_service = ctx.get_service(IamService)
+        iam_service.create_user(
+            user_id=uuid.UUID(int=1),
+            email="user1@example.com",
+            password="password",
+            access_token="token",
+        )
+except ValueError as e:
+    ...
 
 
 @app.exception_handler(DomainException)
 async def unicorn_exception_handler(request: Request, exc: DomainException):
+    if container.config.DEBUG:
+        raise exc
+
     return JSONResponse(
         status_code=500,
         content={"message": f"Oops! {exc} did something. There goes a rainbow..."},
@@ -45,37 +66,17 @@ async def unicorn_exception_handler(request: Request, exc: EntityNotFoundExcepti
 
 
 @app.middleware("http")
-async def add_request_context(request: Request, call_next):
+async def add_process_time(request: Request, call_next):
     start_time = time.time()
-    # request_context.begin_request(current_user=CurrentUser.fake_user())
     try:
         response = await call_next(request)
         process_time = time.time() - start_time
         response.headers["X-Process-Time"] = str(process_time)
         return response
     finally:
         pass
-        # request_context.end_request()
 
 
 @app.get("/")
 async def root():
     return {"info": "Online auctions API. See /docs for documentation"}
-
-
-@app.get("/test")
-async def test():
-    import asyncio
-
-    logger.debug("test1")
-    await asyncio.sleep(3)
-    logger.debug("test2")
-    await asyncio.sleep(3)
-    logger.debug("test3")
-    await asyncio.sleep(3)
-    logger.debug("test4")
-    service = container.dummy_service()
-    return {
-        "service response": service.serve(),
-        "correlation_id": request_context.correlation_id,
-    }
diff --git a/src/api/routers/catalog.py b/src/api/routers/catalog.py
@@ -1,9 +1,10 @@
+import uuid
 from typing import Annotated
 from uuid import UUID
 
 from fastapi import APIRouter, Depends
 
-from api.dependencies import Application, get_application
+from api.dependencies import Application, User, get_application, get_authenticated_user
 from api.models.catalog import ListingIndexModel, ListingReadModel, ListingWriteModel
 from config.container import inject
 from modules.catalog.application.command import (
@@ -13,7 +14,6 @@
 )
 from modules.catalog.application.query.get_all_listings import GetAllListings
 from modules.catalog.application.query.get_listing_details import GetListingDetails
-from seedwork.application import Application
 from seedwork.domain.value_objects import Money
 
 """
@@ -54,19 +54,21 @@ async def get_listing_details(
 async def create_listing(
     request_body: ListingWriteModel,
     app: Annotated[Application, Depends(get_application)],
+    current_user: Annotated[User, Depends(get_authenticated_user)],
 ):
     """
     Creates a new listing.
     """
     command = CreateListingDraftCommand(
+        listing_id=uuid.uuid4(),
         title=request_body.title,
         description=request_body.description,
         ask_price=Money(request_body.ask_price_amount, request_body.ask_price_currency),
-        seller_id=request_context.current_user.id,
+        seller_id=current_user.id,
     )
-    command_result = app.execute_command(command)
+    app.execute_command(command)
 
-    query = GetListingDetails(listing_id=command_result.payload)
+    query = GetListingDetails(listing_id=command.listing_id)
     query_result = app.execute_query(query)
     return dict(query_result.payload)
 
@@ -76,13 +78,16 @@ async def create_listing(
 )
 @inject
 async def delete_listing(
-    listing_id, app: Annotated[Application, Depends(get_application)]
+    listing_id,
+    app: Annotated[Application, Depends(get_application)],
+    current_user: Annotated[User, Depends(get_authenticated_user)],
 ):
     """
     Delete listing
     """
     command = DeleteListingDraftCommand(
         listing_id=listing_id,
+        seller_id=current_user.id,
     )
     app.execute_command(command)
 
diff --git a/src/api/routers/diagnostics.py b/src/api/routers/diagnostics.py
@@ -2,21 +2,30 @@
 
 from fastapi import APIRouter, Depends
 
-from api.dependencies import get_transaction_context
-from seedwork.application import TransactionContext
+from api.dependencies import (
+    TransactionContext,
+    User,
+    get_authenticated_user,
+    get_transaction_context,
+)
 
 from .iam import UserResponse
 
 router = APIRouter()
 
 
 @router.get("/debug", tags=["diagnostics"])
-async def debug(ctx: Annotated[TransactionContext, Depends(get_transaction_context)]):
+async def debug(
+    ctx: Annotated[TransactionContext, Depends(get_transaction_context)],
+    current_user: Annotated[User, Depends(get_authenticated_user)],
+):
     return dict(
         app_id=id(ctx.app),
-        user=UserResponse(
-            id=str(ctx.current_user.id), username=ctx.current_user.username
-        ),
         name=ctx.app.name,
         version=ctx.app.version,
+        user=UserResponse(
+            id=str(current_user.id),
+            username=current_user.username,
+            access_token=current_user.access_token,
+        ),
     )
diff --git a/src/api/routers/iam.py b/src/api/routers/iam.py
@@ -4,12 +4,7 @@
 from fastapi.security import OAuth2PasswordBearer, OAuth2PasswordRequestForm
 from pydantic import BaseModel
 
-from api.dependencies import (
-    Application,
-    TransactionContext,
-    get_application,
-    get_transaction_context,
-)
+from api.dependencies import TransactionContext, get_transaction_context
 from config.container import inject
 from modules.iam.application.exceptions import InvalidCredentialsException
 from modules.iam.application.services import IamService
@@ -21,19 +16,25 @@
 class UserResponse(BaseModel):
     id: str
     username: str
+    access_token: str
 
 
-@router.get("/token", tags=["iam"])
-async def get_token(app: Annotated[Application, Depends(get_application)]):
-    return app.current_user.access_token
+class LoginResponse(BaseModel):
+    access_token: str
+    token_type: str
+
+
+# @router.get("/token", tags=["iam"])
+# async def get_token(ctx: Annotated[TransactionContext, Depends(get_transaction_context_for_public_route)]):
+#     return ctx.current_user.access_token
 
 
 @router.post("/token", tags=["iam"])
 @inject
 async def login(
     ctx: Annotated[TransactionContext, Depends(get_transaction_context)],
     form_data: OAuth2PasswordRequestForm = Depends(),
-):
+) -> LoginResponse:
     try:
         iam_service = ctx.get_service(IamService)
         user = iam_service.authenticate_with_name_and_password(
@@ -46,11 +47,14 @@ async def login(
             detail="Incorrect username or password",
         )
 
-    return {"access_token": user.access_token, "token_type": "bearer"}
+    return LoginResponse(access_token=user.access_token, token_type="bearer")
 
 
 @router.get("/users/me", tags=["iam"])
 async def get_users_me(
-    app: Annotated[Application, Depends(get_application)],
-):
-    return app.current_user
+    ctx: Annotated[TransactionContext, Depends(get_transaction_context)],
+) -> UserResponse:
+    user = ctx.current_user
+    return UserResponse(
+        id=str(user.id), username=user.username, access_token=user.access_token
+    )
diff --git a/src/api/tests/test_catalog.py b/src/api/tests/test_catalog.py
@@ -78,32 +78,35 @@ def test_catalog_list_with_two_items(app, api_client):
     assert len(response_data) == 2
 
 
-def test_catalog_create_draft_fails_due_to_incomplete_data(api, api_client):
-    response = api_client.post("/catalog")
+def test_catalog_create_draft_fails_due_to_incomplete_data(
+    api, authenticated_api_client
+):
+    response = authenticated_api_client.post("/catalog")
     assert response.status_code == 422
 
 
 @pytest.mark.integration
-def test_catalog_delete_draft(app, api_client):
+def test_catalog_delete_draft(app, authenticated_api_client):
+    current_user = authenticated_api_client.current_user
     app.execute_command(
         CreateListingDraftCommand(
             listing_id=UUID(int=1),
             title="Listing to be deleted",
             description="...",
             ask_price=Money(10),
-            seller_id=UUID("00000000000000000000000000000002"),
+            seller_id=current_user.id,
         )
     )
 
-    response = api_client.delete(f"/catalog/{str(UUID(int=1))}")
+    response = authenticated_api_client.delete(f"/catalog/{str(UUID(int=1))}")
 
     assert response.status_code == 204
 
 
 @pytest.mark.integration
-def test_catalog_delete_non_existing_draft_returns_404(api_client):
+def test_catalog_delete_non_existing_draft_returns_404(authenticated_api_client):
     listing_id = UUID("00000000000000000000000000000001")
-    response = api_client.delete(f"/catalog/{listing_id}")
+    response = authenticated_api_client.delete(f"/catalog/{listing_id}")
     assert response.status_code == 404
 
 
diff --git a/src/api/tests/test_diagnostics.py b/src/api/tests/test_diagnostics.py
@@ -2,6 +2,6 @@
 
 
 @pytest.mark.integration
-def test_debug_endpoint(api_client):
-    response = api_client.get("/debug")
+def test_debug_endpoint(authenticated_api_client):
+    response = authenticated_api_client.get("/debug")
     assert response.status_code == 200
diff --git a/src/conftest.py b/src/conftest.py
@@ -1,10 +1,13 @@
+import uuid
+
 import pytest
 from fastapi.testclient import TestClient
 from sqlalchemy import create_engine
 from sqlalchemy.orm import Session
 
 from api.main import app as fastapi_instance
 from config.api_config import ApiConfig
+from modules.iam.application.services import IamService
 from seedwork.infrastructure.database import Base
 
 
@@ -36,6 +39,24 @@ def api_client(api, app):
     return client
 
 
+@pytest.fixture
+def authenticated_api_client(api, app):
+    access_token = uuid.uuid4()
+    with app.transaction_context() as ctx:
+        iam: IamService = ctx[IamService]
+        current_user = iam.create_user(
+            uuid.UUID(int=1),
+            email="user1@example.com",
+            password="password",
+            access_token=str(access_token),
+            is_superuser=False,
+        )
+    headers = {"Authorization": f"bearer {access_token}"}
+    client = TestClient(api, headers=headers)
+    client.current_user = current_user
+    return client
+
+
 @pytest.fixture
 def app(api, db_session):
     app = api.container.application()
diff --git a/src/modules/catalog/application/command/delete_listing_draft.py b/src/modules/catalog/application/command/delete_listing_draft.py
diff --git a/src/modules/catalog/domain/rules.py b/src/modules/catalog/domain/rules.py
diff --git a/src/modules/catalog/tests/application/test_delete_listing_draft.py b/src/modules/catalog/tests/application/test_delete_listing_draft.py
diff --git a/src/modules/iam/application/services.py b/src/modules/iam/application/services.py
